Penetration testing, also known as “pentesting” or “ethical hacking”, is a type of security testing used to evaluate the security of a computer system by simulating an attack by a malicious actor. It can be used to detect vulnerabilities, assess risk, and help organizations take preventative measures to protect their data and systems.
There are many ways to categorize pentests, including by the type of target tested, by the information given to the assessors, or by the goals of the assessment itself. No single classification approach is right or wrong. They serve different purposes and are often used together when “scoping out” assessment work.
This guide goes in depth into the different types of penetration testing and when each type is appropriate. By the end, you will have a better understanding of why pentests are a crucial component of any successful cyber security program, and how to discern which type is best for a given use-case. Let us start by defining what a penetration test actually is before we explore the various types.
What is a penetration test?
Penetration testing is a simulated attack on a computer system or network to test its security. It is done to identify weaknesses in the system that could be exploited by attackers. It involves using specific tools and techniques to try to gain access to the system, and then reporting the results so that the vulnerabilities can be fixed.
Pentesting often gets confused with vulnerability scanning. Unfortunately, app builders frequently purchase a too-good-to-be-true, cheaply priced $2,000 “pentest” only to find out that what they actually bought was a vulnerability scan. Penetration testing and vulnerability scanning are two different but important security techniques, and both are needed in any strong security program. In a nutshell, vulnerability scanning is a largely automated process that should be performed frequently, while penetration testing is a more comprehensive, in-depth and largely manual process that involves actively attempting to exploit identified vulnerabilities within a system or network to show their real impact.
The goal of penetration testing is to simulate a real-world attack and uncover potential vulnerabilities before they can be used by an attacker. This is done by examining the system’s security controls and attempting to exploit any weaknesses found. The tester typically uses a variety of tools and techniques to attempt to gain access to sensitive areas of the system and data.
Penetration testing is an important security measure that can help organizations identify and remediate potential security vulnerabilities before malicious hackers can exploit them. It involves a variety of techniques, from reconnaissance to exploitation and privilege escalation. By utilizing these techniques, organizations can ensure their systems and networks are secure and protected from attack. To learn more about what penetration testing is, read our “Penetration Testing – What, Why, And How?” guide.
What are the different ways of categorizing a pen test?
A penetration test can be classified based on the scope involved, such as networks, web applications, APIs, mobile applications, thin or thick client software, cloud environments, embedded or IoT devices, wireless systems, physical premises, or even people (social engineering). The approach of the penetration test also affects its type, making it either targeted to a specific function or threat, or general. The extent of a penetration tester’s prior knowledge about the environment and systems involved can also vary depending on the goals of the assessment; how much information is made available to the tester is key in determining whether the test is a black box, white box, or gray box test.
It is important to know that most of these categories (aside from, perhaps, the black box, gray box, and white box approach types, which are exclusive of each other within a single engagement) are not mutually exclusive. It is possible to have both an internal and an external network pentest, and one engagement frequently combines several scopes.
What are the different types of penetration testing by target scope?
Penetration testing is often categorized by scope because the techniques, skills, and approach vary significantly from one type to another. As you can probably guess, a web application pentest is significantly different from a pentest of a client-side executable that requires reverse engineering of a binary.
The different types of penetration testing include:
- Network
- Web Application
- API
- Mobile Application
- Host, embedded/IoT device
- Cloud
- Thin or thick client
- Wireless
- Social Engineering
- Physical Penetration Testing
Network
Network penetration testing is a type of security testing that simulates an attack from a malicious actor to identify any security weaknesses in a computer network.
Network penetration testing helps to identify vulnerable aspects of network infrastructure, such as exploitable vulnerabilities in servers, firewalls, switches, and even network-listening devices such as printers. This kind of testing can help protect businesses from common network-based attacks, including:
- Firewall misconfiguration or firewall bypass
- Man-in-the-middle (MitM) attacks
- Exploitation of vulnerable IoT / network listening devices
- Switching or routing-based attacks
- SSH attacks
- Proxy server attacks
- Attacks on unnecessary open ports
- Database attacks
- Active Directory (AD) attacks
- FTP/SMTP-based attacks
Network pentesting is commonly subdivided into either external or internal network penetration testing.
Internal network penetration testing focuses on the internal network of an organization. The goal is to identify weaknesses in the internal network infrastructure from the perspective of a compromised client machine (such as a work-from-home employee’s device that has been infected with malware), an attacker that has been able to pivot into the internal network, or a malicious insider. It includes testing of the internal network architecture, firewalls, routers, switches, and other network devices, as well as system and application security.
External network penetration testing, on the other hand, focuses on the external network of an organization from the perspective of an external attacker with no foothold. It involves testing the external network infrastructure and any other systems accessible from the public Internet. The goal is to identify weaknesses in the external network perimeter and any exposed systems or applications that could be exploited by malicious actors.
It is recommended that both internal and external network penetration tests be conducted at least once a year to ensure the security of a business’s mission-critical services.
Web Application
Web applications are typically the most tempting target for attackers, as they usually expose many exploitation paths. Web application penetration testing is a type of security testing used to identify security vulnerabilities in web-based applications. It is designed to simulate an attack on the web application, identify potential security risks, and provide recommendations for mitigating those risks.
The goal is to identify any weaknesses in the application and its associated infrastructure that could be exploited by an attacker. It can also be used to verify that the existing security controls are effective and to identify areas where additional security controls may be necessary.
Vulnerabilities identified during this type of testing can include:
- Authentication and authorization vulnerabilities
- Session Management vulnerabilities
- Injection attacks such as XSS, SQL injection and more
- XXE
- CSRF
- Design flaws
- MitM
- Configuration flaws
- SSRF
- File upload and file download vulnerabilities such as directory traversal
- And more
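As an added example (not code from the original page or from BB-SEC), the following Python snippet shows the file download case from the list above: a download handler that joins user input onto a base directory and can be walked out of with “..”, an absolute path or a symlink, beside a hardened version that canonicalises the path and refuses anything outside the download root. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Directory traversal in a file download handler: vulnerable vs hardened (added example)."""
import os
import tempfile
from pathlib import Path

# Constructed layout standing in for an application's files:
#   <root>/downloads/report.pdf   the only file users are meant to fetch
#   <root>/secret.txt             sits outside the download root
ROOT = Path(tempfile.mkdtemp(prefix="app_"))
DOWNLOADS = ROOT / "downloads"
DOWNLOADS.mkdir()
(DOWNLOADS / "report.pdf").write_bytes(b"quarterly report")
(ROOT / "secret.txt").write_bytes(b"db_password=hunter2")
# A symlink inside the download root that points outside it (e.g. left by a careless deploy).
os.symlink(ROOT / "secret.txt", DOWNLOADS / "notes.txt")


def download_vulnerable(name: str) -> bytes:
    """Appends the (already URL-decoded) filename straight onto the base path.
    '..' segments, absolute paths and symlinks all escape the directory."""
    return (DOWNLOADS / name).read_bytes()


def download_hardened(name: str) -> bytes:
    """Canonicalise the candidate path (follows '..' and symlinks) and refuse anything
    that does not stay under the download root. Checking the string for '..' is not
    enough: the symlink case contains no '..' at all."""
    root = DOWNLOADS.resolve()
    candidate = (DOWNLOADS / name).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path traversal blocked: {name!r}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate.read_bytes()


def is_blocked(name: str) -> bool:
    """True if the hardened handler rejects the name as a traversal attempt."""
    try:
        download_hardened(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("report.pdf", "../secret.txt", "notes.txt", "/etc/hostname"):
        print(f"{probe!r:20} vulnerable -> {download_vulnerable(probe)[:16]!r:24}"
              f" hardened blocks it: {is_blocked(probe)}")
```

Two things worth noting in the hardened version: the check is done on the resolved path, so a symlink that points outside the root is caught even though the requested name looks harmless, and `root in candidate.parents` is a path comparison rather than a string prefix check, so a sibling directory such as `downloads_old` cannot pass as being under `downloads`.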
The purpose of conducting a web application pen test is to discover any security flaws or vulnerabilities in web-based applications, including in backend components (APIs, databases, etc.) and, where it is made available, in the source code.
Web Application Penetration Testing is an essential part of the security strategy of any organization that is building a SaaS or web application.
How often should web application pentesting be performed?
The short answer is that it depends.
In the currently popular Agile development approach, the codebase is refined continuously in small increments. Agile code deployment is the preferred way to introduce changes, as opposed to big batch deployments, because many variables brought into the code at once increase the chances of encountering errors and security issues. In this case, smaller targeted pentests scoped to the changes in each iteration are recommended.
By regularly performing tests, organizations can ensure that their web applications remain secure and that any potential vulnerabilities are identified and addressed before they can be exploited by an attacker. Testing should be a continuous process, as the security landscape is constantly evolving and new vulnerabilities are being discovered on a regular basis.
A larger annual third party pentest is also highly recommended in order to catch any vulnerabilities missed by targeted assessments.
When performing web application testing, BB-SEC follows multiple standards including the OWASP recommended methodologies to provide the highest ROI results possible.
API
API penetration testing is similar to web application pentesting but focuses solely on APIs. It can involve either or both server-to-server and client-to-server APIs.
Some vulnerabilities that apply to web applications do not necessarily apply to all APIs. For example, reflected XSS would not be applicable to a server-to-server API unless the values of the vulnerable parameters are somehow parsed further, such as being displayed in an internal UI. The context in which a value finally ends up, rather than the API that transports it, determines whether such a finding is real.
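To make that point concrete, here is an added Python example (not code from the original page or from BB-SEC) that follows one submitted value through the two contexts just described. The API, the downstream consumer and the internal dashboard are constructed stand-ins, and the probe string is the kind of payload a tester submits to a parameter.

```python
"""The same API value in a machine-to-machine context and in an HTML context (added example)."""
import html
import json

# Constructed probe string of the kind a tester submits to a parameter.
PROBE = '<img src=x onerror="alert(document.cookie)">'


def api_response(customer_name: str) -> str:
    """Server-to-server API echoing the submitted value back in a JSON body.
    json.dumps escapes the double quotes, so the body stays valid JSON and the
    value is just a string to any consumer that parses it."""
    return json.dumps({"customer": customer_name})


def consume_as_service(body: str) -> str:
    """Downstream service parses the JSON and, say, stores the value. The markup
    is never interpreted, so there is no XSS in this context."""
    return json.loads(body)["customer"]


def render_dashboard_unsafe(body: str) -> str:
    """An internal dashboard later drops the same value into HTML by string
    interpolation. Here the probe becomes active markup, so the finding is real,
    but it lives in the UI, not in the API that transported the value."""
    name = json.loads(body)["customer"]
    return f"<td>{name}</td>"


def render_dashboard_safe(body: str) -> str:
    """Same dashboard with output encoding for the HTML context."""
    name = json.loads(body)["customer"]
    return f"<td>{html.escape(name, quote=True)}</td>"


def is_active_markup(fragment: str) -> bool:
    """Crude check for the demonstration: does the probe survive as a tag?"""
    return "<img" in fragment


if __name__ == "__main__":
    body = api_response(PROBE)
    print("API body     :", body)
    print("service sees :", consume_as_service(body))
    print("unsafe UI    :", render_dashboard_unsafe(body))
    print("escaped UI   :", render_dashboard_safe(body))
```

The practical consequence for scoping is that an API-only engagement can at most report that the API reflects untrusted input unencoded; whether that is exploitable depends on every consumer of the response, so the report should name the consumers that were and were not in scope. One caveat: if the API response is ever served with a `text/html` content type or embedded directly into a page, the context changes again and the finding moves back to the API.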
Mobile Application
Mobile penetration testing is a security testing method used to assess the security of mobile applications and the backend systems and networks they rely on. It evaluates them against potential threats, vulnerabilities, and other cyber-attacks.
Mobile penetration testing helps organizations identify and mitigate risks or vulnerabilities in their mobile applications and associated networks and systems. It involves the use of specialized tools, techniques, and methods, including analysis of the installed app on a device or emulator and interception of the traffic between the app and its backend.
The security assessment performed during mobile penetration testing is designed to identify any weaknesses or vulnerabilities in the mobile application and network infrastructure. These weaknesses or vulnerabilities can be exploited by attackers to gain unauthorized access to sensitive data or perform malicious activities.
The primary purpose of mobile penetration testing is to identify any potential threats and vulnerabilities in the mobile application and network infrastructure. During the testing process, the security tester will analyze things such as the following:
- The mobile application and any related network and system for any potential security vulnerabilities. The security tester will also determine if these vulnerabilities can be exploited to access sensitive data or perform malicious activities.
- The mobile application for any potential weaknesses that may be used to attack the mobile application. This includes assessing the application’s code and library components for any security flaws.
- The application’s authentication and authorization mechanisms to determine if they are secure.
- The mobile application’s network traffic, such as the APIs the mobile app makes requests to.
- The mobile application’s data storage and encryption mechanisms to ensure that sensitive data is securely stored and protected from potential attackers.
- The application’s logging and reporting mechanisms to ensure that any potential security incidents are logged and reported in a timely manner.
By performing this type of testing, organizations can ensure that their mobile applications, and the networks and systems behind them, are secure and protected from potential attackers.
Embedded or IoT device
IoT penetration testing is the process of evaluating the security of Internet of Things (IoT) devices, their networks, and the applications that manage them. It identifies potential security vulnerabilities in the system, such as weak or default passwords, insecure protocols, exposed hardware debug interfaces, or other security flaws, and checks that the system is compliant with industry standards.
The purpose of an IoT penetration test is to identify any weaknesses that could allow an attacker to gain access to the device, the network it sits on, or the application behind it. Because an attacker often has physical access to the hardware, this type of testing frequently includes firmware extraction and analysis in addition to network and application testing.
IoT penetration testing is an important part of ensuring the security of IoT systems. It helps to identify and address potential security weaknesses and to ensure that the system is compliant with industry standards, so that it is not left vulnerable to attack.
Cloud
Cloud penetration testing is a type of security testing used to identify vulnerabilities in cloud-based systems. It is an important part of any cloud security strategy, as it helps to protect organizations from data breaches and other malicious activity.
Cloud penetration testing involves using automated tools and manual testing to evaluate the security of a cloud-based system. This includes testing the security of the cloud infrastructure, applications, and data. During a cloud penetration test, testers look for weaknesses such as flawed authentication and authorization procedures, over-privileged identities and roles, insecure security configurations, and exposed data storage. Because the provider operates the layers below the customer’s workloads (the shared responsibility model), the test concentrates on what the customer controls, and testers must follow the provider’s rules of engagement for penetration testing.
The goal of cloud penetration testing is to identify vulnerabilities before they can be exploited by attackers. This allows organizations to mitigate security issues before an attacker can gain access to sensitive data or systems, and helps identify areas where security measures need to be improved.
Cloud penetration testing is an essential part of any cloud security strategy. By regularly running cloud penetration tests, organizations can ensure that their systems are secure and protected from malicious activity.
Thin or thick client
Client-side penetration testing is employed to identify potential security flaws or vulnerabilities in client-side programs, such as desktop applications, email clients, browser-based thin clients, and standalone executables. A thin client keeps most of its logic on the server and is tested much like a web application; a thick client carries significant logic and data locally, so testing typically also covers reverse engineering of the binary, local storage and configuration files, and the traffic between the client and its backend. This testing is used to assess the risk of these applications and ensure they are secure.
Wireless
Wireless Penetration Testing is a specialized form of ethical hacking that is used to identify security vulnerabilities in a wireless network. It is used to assess the security of a wireless network and identify any potential threats or weaknesses that could be exploited by an attacker. Wireless Penetration Testing is similar to traditional Penetration Testing, but the primary difference is that it focuses on wireless technologies such as Wi-Fi networks.
Wireless Penetration Testing is often used by organizations to verify the security of their wireless networks and ensure that they are adequately protected.
Social Engineering
It is a unique type of pentesting, as it focuses on people rather than on software. Social engineering testing is the process of attempting to gain access to company information or resources by exploiting the human element of security. It involves using manipulative techniques to obtain confidential information, data, or resources from an organization or individual. This type of testing is designed to simulate real-world attacks, and is often conducted by ethical hackers.
Social engineering testing is becoming increasingly important as the use of technology and the Internet grows. Attackers are becoming more sophisticated in their techniques, and as a result, organizations must be prepared to respond to such attacks. Social engineering testing can help organizations identify vulnerabilities in their security systems and assess the impact of potential attacks.
Humans remain one of the biggest attack paths for organizations. After all, it does not matter how secure firewalls are if an internal user takes their device home and accidentally downloads malware after clicking on a phishing email they received.
Social engineering testing is typically conducted in two ways: in-person or remote. In-person testing involves an ethical hacker visiting an organization and attempting to gain access to information or resources by manipulating employees. The ethical hacker may pose as an employee, vendor, customer, or other individual in order to gain access to confidential information or resources. Remote testing involves the same manipulation delivered without being on site, for example through phishing emails, phone calls (vishing), or text messages (smishing), usually to lure employees into revealing credentials or running malware.
In either case, social engineering testing is designed to identify weaknesses in an organization’s security systems, including lack of employee awareness, lack of security controls, or other security-related issues. The goal of social engineering testing is to help organizations identify and address potential weaknesses in their security systems, processes and training before they can be exploited by malicious actors.
The results of social engineering testing can be used to make recommendations for improving an organization’s security posture. This can include implementing more robust security controls, establishing employee awareness training, or updating policies and procedures. Social engineering testing can also help organizations ensure that their security systems are up to date and functioning as intended.
Physical
Physical penetration testing is a type of security testing that focuses on assessing the physical security of a system or building. The goal is to identify any weaknesses in the physical security of the system or building, and to create a plan to remediate them. It is important for businesses with significant on-premises assets, such as locations with private servers containing critical data.
Physical penetration testing usually starts with a security assessment of the physical environment. This includes examining the layout of the building, the security measures in place, and the access points to the system or building. From there, the security team can determine which areas are most vulnerable to attack, and create a plan to test these areas. This plan typically involves testing each security measure in place, such as locks, alarms, CCTV systems, and guards.
Once the testing plan has been created, the testers will then simulate physical attacks on the system or building. This can include attempting to gain access to the building, breaking into locked areas, or trying to bypass the security measures in place. During the testing process, the security team will document any weaknesses they find, and make recommendations for how to strengthen the security of the system or building.
After the physical penetration testing is complete, the security team will create a report detailing the findings and recommendations. This report should include detailed information about the security measures in place, the areas that were most vulnerable to attack, and any recommendations for strengthening the security of the system or building.
Physical penetration testing is an important part of any security program, as physical security of hardware containing critical data is often ignored. By simulating real-world attacks, security teams can gain insight into the weaknesses of their security measures, and create a plan for remediation.
What are the different types of pentesting by information approach?
Pentests can also be classified based on the amount of information disclosed to the testers. These types of testing are known as white box, black box, and gray box pen tests. Each type has its benefits as discussed in detail in the Black Box Vs White Box Vs Gray Box Penetration Testing article.
White Box Testing
White box penetration testing (also known as clear box testing, transparent box testing, or structural testing) is a method in which the tester is given full knowledge of the inner workings of the system. It allows the tester to look at the source code, architecture, and design of the software application. The purpose of this type of testing is to identify as many security vulnerabilities and other weaknesses in the system as possible within the time available.
Black Box Testing
Black box penetration testing is a type of security testing performed on a system or application without any prior knowledge of its internal architecture or code. This type of testing is often used to identify potential security vulnerabilities that could realistically be found by an outside intruder. It often involves techniques such as fuzzing, input validation testing, and brute-force attacks. It is also known as “blind testing.”
Gray Box Testing
Gray box penetration testing is a type of security assessment that combines both black box and white box testing. During this type of test, the tester has limited knowledge of the underlying system architecture and configuration. This knowledge typically consists of items such as user accounts, IP addresses, architecture documentation, and other relevant information. The tester uses this information to attempt to gain access to the system and then identify vulnerabilities.
What are the different types of penetration testing by scoping approach?
A penetration test can also be categorized either as a general test or a targeted test:
A targeted penetration test is a type of security assessment that focuses on a specific system, function, or even changes from a minor pull request.
A general penetration test is a type of security assessment that tests the security of an entire organization or application without scope limitations.